Description
Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.
Published: 2026-06-11
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vim's netrw plugin contains a code injection flaw in the NetrwBookHistSave() function where directories are recorded into the ~/.vim/.netrwhist file. Because the directory names are interpolated into a single‑quoted Vimscript string without quoting inner single quotes, a user that can create a specially crafted directory name can break out of the string literal and execute arbitrary Vimscript, including system() and :! commands, when the history file is later sourced. The attacker can gain unrestricted code execution on the local machine that runs Vim, allowing full confidentiality, integrity, and availability compromise for that user.

Affected Systems

All users of Vim, version 9.2.0494 and earlier, are affected. Vendors: Vim. The vulnerability was patched in release 9.2.0495, so any installation of that version or later is safe.

Risk and Exploitability

With a CVSS base score of 7.3, the vulnerability is considered high severity. The EPSS score of 0.00269 indicates a very low but non‑zero exploitation probability. Exploitation requires the attacker to have the ability to create a directory with a crafted name on the local file system that Vim can access, and the victim must launch Vim and source the history file, which normally occurs on startup. Therefore the attack vector is local; it is not publicly exploitable over a network. The vulnerability is not listed in the CISA KEV catalog, indicating limited known exploitation activity at present.

Generated by OpenCVE AI on June 30, 2026 at 01:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vim to version 9.2.0495 or newer to apply the patch.
  • If an upgrade cannot be applied immediately, delete or set the file ~/.vim/.netrwhist to read‑only, and avoid creating directories that contain single quotes until the upgrade is completed.
  • Disable the netrw plugin by removing or commenting out the command that loads it, preventing the vulnerable NetrwBookHistSave() function from executing.

Generated by OpenCVE AI on June 30, 2026 at 01:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8451-1 Vim vulnerabilities
History

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-140
References
Metrics threat_severity

None

threat_severity

Important


Sat, 13 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 12 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Vim
Vim vim
Vendors & Products Vim
Vim vim

Thu, 11 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.
Title Vim: Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name
Weaknesses CWE-74
CWE-94
References
Metrics cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T12:10:02.279Z

Reserved: 2026-05-18T21:25:34.496Z

Link: CVE-2026-47162

cve-icon Vulnrichment

Updated: 2026-06-30T03:16:10.529Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-11T19:16:44.160

Modified: 2026-06-13T01:04:09.357

Link: CVE-2026-47162

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-11T18:32:14Z

Links: CVE-2026-47162 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T02:00:05Z

Weaknesses
  • CWE-140

    Improper Neutralization of Delimiters

  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')